Posted by samzenpus on Monday October 07, 2013 @10:53AM from the protect-ya-neck dept.

Kevin Fu is a professor of electrical engineering and computer science at the University of Michigan. He heads a research group on medical-device security, Archimedes, that works to find vulnerabilities in medical equipment. WattsUpDoc, a system that can detect malware on medical devices by monitoring changes in power consumption, is based on his work. Professor Fu has agreed to put down the pacemakers for a moment and answer your questions about his work and medical device security in general. As usual, ask as many as you'd like, but please, one question per post.
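As an added illustration of the idea behind WattsUpDoc as described above (this is not WattsUpDoc's own code nor part of the original post): profile a device's power draw under a known-good workload, then flag later traces whose windowed averages drift from that baseline. The sample traces, window size and z-score threshold are constructed assumptions.

```python
"""Toy power-consumption anomaly detector in the spirit of WattsUpDoc.

Assumption (constructed for this example): the device's power draw in watts
is sampled at a fixed rate; a baseline captured during known-good operation
is summarised per window, and later traces are scored against it.
"""
from statistics import mean, pstdev

# Constructed baseline: a device idling at about 2.0 W with small noise.
BASELINE = [2.00, 2.03, 1.98, 2.01, 2.02, 1.99, 2.00, 2.04, 1.97, 2.01,
            2.02, 2.00, 1.99, 2.03, 2.01, 2.00, 1.98, 2.02, 2.01, 1.99]

# Constructed later traces: one benign, one with extra CPU load that
# lifts the average draw by roughly 0.4 W.
NORMAL_TRACE = [2.01, 1.99, 2.02, 2.00, 2.03, 1.98, 2.01, 2.00, 2.02, 1.99]
SUSPECT_TRACE = [2.01, 2.00, 2.41, 2.39, 2.44, 2.38, 2.42, 2.40, 2.43, 2.39]


def _windows(samples, window):
    """Split samples into consecutive non-overlapping windows."""
    return [samples[i:i + window]
            for i in range(0, len(samples) - window + 1, window)]


def build_profile(samples, window=5):
    """Summarise a known-good trace as the mean and spread of window means."""
    means = [mean(w) for w in _windows(samples, window)]
    return {"mean": mean(means), "std": pstdev(means), "window": window}


def score_trace(profile, samples):
    """Return a z-score for each window of samples against the profile."""
    std = profile["std"] or 1e-3  # guard against a perfectly flat baseline
    return [(mean(w) - profile["mean"]) / std
            for w in _windows(samples, profile["window"])]


def is_anomalous(profile, samples, threshold=4.0, min_windows=2):
    """Flag a trace when at least min_windows windows exceed the z threshold.

    Requiring several windows reduces false alarms from a single spike.
    """
    hits = sum(1 for z in score_trace(profile, samples) if abs(z) > threshold)
    return hits >= min_windows


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    print("normal flagged:", is_anomalous(prof, NORMAL_TRACE))
    print("suspect flagged:", is_anomalous(prof, SUSPECT_TRACE))
```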

I have worked at many, many of the largest and most prestigious hospitals (like hundreds of them) in this country (and many others) and all have VPN options. Mostly IPSec, but a few use other remote access tools. It's a requirement to run a hospital today.

"Poorly specified" is fair, inasmuch as it's extremely easy to rely on undefined behavior in C without knowing that one is doing so (and thus to get "compiler bugs" that aren't, when the compiler chooses to make platform-specific optimizations).

Have you explored changing the dosages on drug pumps? Either through exploiting the device directly or by exploiting the database backend? I reference the Hospira pumps that run Linux, allowing one to telnet to them as root with no password authentication. Hospira did issue an update to that but since pumps are so numerous, I'm sure that many hospitals have been slow to update.

So that we do not have to have a one-to-one relationship between patient and nurse? If these devices had no connectivity, then every patient would have to have at least one nurse in attendance at all times to monitor that the equipment is still functioning or that the various rates being measured are still within acceptable limits.

Say I have an implant that could be hacked; what can I do to protect myself? Are any vendors more reputable than others when it comes to security? Is tinfoil effective? Should I demand my doctor replace known vulnerable equipment?

Are you following any medical device start-ups? [If so, what is your favorite?] As I see more low-power Bluetooth implementations, I see the possibility for bluesnarfing. Any pointers for good software/electrical security design?

In commercial aircraft, there used to be a rule that the aircraft could be flown entirely by hand. Yes, you can even fly a 747 by hand if the systems fail. Is it feasible to have such a rule for medical devices? Does such a rule exist?

There is a difference between "fly by hand" and "fly without depending on the computer" -- in today's modern fly-by-wire aircraft, there are still computers/electronics between the pilot and the control surfaces even when the flight management system, auto-pilot and even primary flight controls are "down".

The question is what failure modes, considering the presence of security threats, require simple back-up systems? How would such back-up systems be invoked?

This is usually not possible. Many of these medical devices don't run Windows or Linux. They are embedded systems with real time operating systems, embedded operating systems, a home grown operating system, and sometimes no OS at all. Other times the applications are statically linked with the OS so that it is unable to be upgraded independently.

That is different from medical turnkey systems that are basically generic computers overlaid with specialized applications (hospital records keeping, image manag

How do you create incentives for the companies that make these devices to make them secure?

The current comments on the draft for "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" pertaining to 21 CFR 820.30(g) have a disturbing trend of focusing on "unauthorized access" of these devices to be considered criminal (CFAA) instead of trying to protect against said access. Furthermore, I find any discussion of encrypting the data immediately turns to data bloat due to encr

What can those of us that have an implanted medical device do to protect ourselves now? I have a Boston Scientific ICD, but due to the circumstances in which I was given the device, it's not like I was able to make a choice in the matter. I couldn't do any research to determine which might be the most secure device to go with. So I am stuck with what I have, with no real knowledge of how secure it is and what my risks may be.

Being a highly regulated industry, I could see the eventual evolution of a competent security culture in medical IT/manufacturing. We certainly don't have it quite together now, but if and when that comes to pass, do you see the lessons learned in that sector promulgating out to other industries, or will the environment of high regulation (and high stakes) produce too alien a solution set for general application?

Is it feasible, for at least some devices, to embed in them a closed set of commands that are acceptable and have them automatically reject any other commands (e.g., prevent buffer overflow and SQL injection sorts of things)?

I work in data acquisition, and some of the equipment we have, digital multimeters, digital spectroscopes, runs things like Win2K SP1 or XP SP1... Security updates were never 'thought of' for those things. If we were to put them on an unsecured network they'd get owned in 20 seconds flat. It's terrifying, but we know how to deal with it: don't even connect them to the internal subnet! Is it as bad with medical devices?

Besides the obvious "Pumps are easy hacking targets," and "It's a CGM, not an artificial pancreas, you marketing schmuck,"... It's obvious we need better firmware and 3rd-party testing for these devices. Medtronic in particular seems to be challenged [richthediabetic.com] in the data-accuracy [diabetesdaily.com] department. Their Continuous Glucose Monitors [medtronicdiabetes.com] seem to be the most expensive and most inaccurate glucometers manufactured in the past 20 years. Although I'd like to know what legislative hurdles remain for the creation of more open devices for

I have in mind soliciting donations of Implantable Medical Devices, building a Programmer such as you describe in some of the papers you've published, then holding an annual hackathon of the IMDs. Figure out how to crack them and control them, then give the results to the manufacturers. Each year, we publish last year's results and crack another batch.
I'm sure this plan presents ethical dilemmas in some people's minds, but to me those are nothing compared to the even worse ethics of letting crappy code s